US Justice Department Exposes Chinese Government’s Global Cybercrime Network

  • Writer: OpusDatum
  • Mar 5

Updated: Mar 10


The US Department of Justice (DOJ), in collaboration with the FBI, the Naval Criminal Investigative Service, and the Departments of State and Treasury, has taken decisive action to dismantle a vast cyber-espionage network linked to China’s intelligence services. The crackdown targets 12 Chinese nationals, including officers from the Ministry of Public Security (MPS) and employees of Anxun Information Technology Co. Ltd. (i-Soon), a company deeply embedded in China’s hacker-for-hire ecosystem.


Chinese Cyber Mercenaries: A Global Threat


Operating as freelancers or under the directive of China’s MPS and Ministry of State Security (MSS), these individuals orchestrated widespread cyber intrusions. Their targets ranged from critics of the Chinese Communist Party (CCP) and religious organisations in the United States to foreign governments in Asia and even US federal agencies, including the Department of the Treasury.


“These state-backed hackers executed reckless cyberattacks to suppress free speech and steal sensitive data globally,” said Sue J. Bai, head of the DOJ’s National Security Division. “By exposing this network, we are holding accountable those responsible for these indiscriminate attacks.”


The FBI’s Cyber Division Assistant Director, Bryan Vorndran, also issued a strong warning, highlighting how the MPS has been funding hackers-for-hire to target American individuals and institutions. “To those aiding the CCP’s cyber warfare - be warned. We will track, identify, and expose your activities for the world to see,” Vorndran asserted.


The Role of i-Soon in China’s Hacker-for-Hire Ecosystem


Court documents reveal how China’s intelligence agencies relied on i-Soon and similar private firms to mask their cyber operations. These groups indiscriminately exploited vulnerabilities, often selling stolen data not only to the Chinese government but also to third-party buyers.


Investigators found that i-Soon and its employees amassed tens of millions of dollars by hacking email accounts, mobile phones, servers, and websites. The company allegedly provided its services to at least 43 different MSS and MPS bureaus across 31 provinces and municipalities in China. In some cases, i-Soon also trained Chinese government officials in cyber intrusion techniques.


Among its many targets, i-Soon focused on:


  • Religious groups, including a major US-based organisation that has criticised the PRC.

  • Journalists and news outlets, particularly those opposing the CCP or disseminating uncensored information in Asia.

  • Government agencies, including the US Treasury and the foreign ministries of Taiwan, India, South Korea, and Indonesia.


FBI Seizes i-Soon’s Primary Domain & Indicts Key Players


In a federal court in Manhattan, US authorities unsealed an indictment against eight i-Soon employees and two MPS officers, charging them with cyber intrusions dating back to 2016. Concurrently, the US government has seized i-Soon’s main website, further crippling its operations.


The following individuals have been identified as key players in this operation:


  • Wu Haibo (吴海波) – i-Soon CEO

  • Chen Cheng (陈诚) – Chief Operating Officer

  • Wang Zhe (王哲) – Sales Director

  • Liang Guodong (梁国栋), Ma Li (马丽), Wang Yan (王堰), Xu Liang (徐梁), Zhou Weiwei (周伟伟) – Technical staff

  • Wang Liyu (王立宇), Sheng Jing (盛晶) – MPS officers


All suspects remain at large. The US State Department’s Rewards for Justice (RFJ) programme is offering up to $10 million for information leading to their identification or capture.


APT27 Hackers Indicted for Global Cybercrime


Two additional Chinese hackers, Yin Kecheng (尹可成) and Zhou Shuai (周帅), linked to Advanced Persistent Threat 27 (APT27)—also known as "Emissary Panda" or "Lucky Mouse"—were also indicted in a Washington, DC court.


Between 2013 and 2024, these cybercriminals infiltrated US technology firms, defence contractors, law firms, and local governments, causing millions in damages. Yin and Zhou were financially motivated, stealing data not only for the Chinese government but also for sale in underground cyber markets.


Authorities have since seized the internet domains and servers they used to conduct their activities. In addition, the US Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Yin, Zhou, and Shanghai Heiying Information Technology Co. Ltd., a firm Zhou used for his hacking operations.


The State Department is offering $2 million rewards for information leading to the arrests of Yin Kecheng and Zhou Shuai.


International Cybersecurity Response


The DOJ’s actions highlight the growing threat of China’s state-sponsored hacking activities and the global cybersecurity risks posed by hacker-for-hire networks.


In a coordinated response, private sector firms Microsoft, Volexity, PwC, and Mandiant have released reports exposing the tactics, techniques, and IT supply chain targeting of Silk Typhoon (APT27).


“This is a critical step in disrupting a dangerous cyber-mercenary ecosystem that threatens businesses, governments, and individuals worldwide,” said Interim US Attorney Edward R. Martin Jr. for the District of Columbia.


Ongoing Investigations & International Implications


The DOJ, FBI, and their partners remain committed to exposing and dismantling these cyber operations. The involvement of state-backed actors in commercial cybercrime presents a direct challenge to global cybersecurity and international law.


These indictments serve as a stark warning to cybercriminals operating under the protection of hostile nation-states: the international community is watching, and justice will be served.


Read the press release here.
